
Container Registry:Configure policies for RAM users to access Container Registry

Last Updated: Jul 03, 2023

Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to control access to repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

By default, an Alibaba Cloud account has full access permissions on the resources that belong to the account. You can use RAM and STS to grant different permissions on image resources to different RAM users and to provide temporary access permissions. Before you configure authorization policies, read the RAM documentation.

Important

After you configure authorization policies for a RAM user, you must use the RAM user to log on to the Container Registry console, create a Personal Edition instance, and set a password for the Container Registry instance before you can view the images on which the RAM user has permissions.

RAM authorization

When you authorize a RAM user, pay attention to the following instructions to make sure that you do not grant excessive permissions to the RAM user.

Important

If you grant a RAM user the AdministratorAccess policy, which includes management permissions on all Alibaba Cloud resources, the RAM user has all permissions on Container Registry, regardless of which Container Registry permissions were granted to the RAM user before.

Attach system policies to a RAM user

By default, the AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess system policies are created for Container Registry. You can attach these policies directly to a RAM user. The two system policies are described below:

  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as those of an Alibaba Cloud account. The RAM user can perform all operations on image resources.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user the read-only permissions on all image resources. For example, the RAM user can view the repository list and pull images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:Pull*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

The following example shows how to attach the AliyunContainerRegistryReadOnlyAccess policy to a RAM user:

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note: If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. In the Select Policy section, click System Policy, enter AliyunContainerRegistryReadOnlyAccess in the field, and then click AliyunContainerRegistryReadOnlyAccess.

  5. Click OK.
  6. Click Complete.

Authentication rules of Container Registry

  • ARN format

    The following table describes the ARN format in an authorization policy when you authorize RAM users to access the resources.

    Resource type   ARN format in an authorization policy
    *               acs:cr:$regionid:$accountid:*
    instance        acs:cr:$regionid:$accountid:instance/$instanceid
    repository      acs:cr:$regionid:$accountid:repository/$instanceid/*
                    acs:cr:$regionid:$accountid:repository/$instanceid
                    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
                    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
                    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    chart           acs:cr:$regionid:$accountid:chart/$instanceid/*
                    acs:cr:$regionid:$accountid:chart/$instanceid
                    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
                    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
                    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname

    The following table describes the parameters in the preceding ARN formats.

    Parameter             Description
    regionid              The ID of the region, which can be replaced by an asterisk (*).
    accountid             The ID of the Alibaba Cloud account, which can be replaced by an asterisk (*).
    instanceid            The ID of the Container Registry Enterprise Edition instance.
    namespacename         The name of the namespace.
    repositoryname        The name of the image repository.
    chartnamespacename    The name of the chart namespace.
    chartrepositoryname   The name of the chart repository.

  • Authorization rules

    When you access the Container Registry API as a RAM user or by using STS, Container Registry checks whether you have been granted the required permissions. Which permissions are checked depends on the resources that the API operation requests and on the syntax of the API operation. The following table describes the authentication rules for each API operation.

    Note

    The asterisk (*) is used as a wildcard.

    API operation | Action | Resource
    GetAuthorizationToken | cr:GetAuthorizationToken | *
    GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceCount | cr:ListInstance | *
    GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
    GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid
    GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/*
    ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    ListInstance | cr:ListInstance | *
    ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid
    ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/*
    ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid
    CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
    CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
    CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid
    CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid
    UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
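The following Python script is an added example and is not code from the Alibaba Cloud documentation or SDK. It ties together the three technical parts of this topic: the system policies above, the ARN format for Container Registry resources, and the authentication rules table (API operation, required action, required resource). It embeds the AliyunContainerRegistryReadOnlyAccess policy from the page, a constructed least-privilege policy that grants pull-only access to a single repository (the instance ID cri-EXAMPLE, the namespace team-a, the repository web, the region cn-hangzhou and the account ID 123456789012 are all placeholders), and a subset of the table rows. The evaluator is a simplified model of RAM policy evaluation (explicit Deny wins, otherwise any matching Allow, otherwise deny by default; Condition elements are not modelled) written for this example, not RAM's own implementation.

```python
"""Check which Container Registry API operations a RAM policy permits, using the
authentication rules table (API operation -> required action + resource ARN).
Added example; not code from the Alibaba Cloud documentation or SDK."""
import re
from string import Template

# System policy copied from the page: read-only access to all image resources.
READ_ONLY_POLICY = {
    "Statement": [
        {"Action": ["cr:Get*", "cr:List*", "cr:Pull*"], "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1",
}

# Constructed least-privilege policy (an assumption, not one of the system policies):
# pull-only access to a single repository on one Enterprise Edition instance.
# cri-EXAMPLE, team-a and web are placeholder instance ID, namespace and repository.
SINGLE_REPO_PULL_POLICY = {
    "Statement": [
        {"Action": "cr:GetAuthorizationToken", "Effect": "Allow", "Resource": "*"},
        {
            "Action": ["cr:GetRepository", "cr:ListRepositoryTag", "cr:PullRepository"],
            "Effect": "Allow",
            "Resource": "acs:cr:*:*:repository/cri-EXAMPLE/team-a/web",
        },
    ],
    "Version": "1",
}

# A subset of the rows of the authentication rules table, copied from the page.
REPO = "acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname"
AUTH_RULES = {
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "GetRepository": ("cr:GetRepository", REPO),
    "ListRepoTag": ("cr:ListRepositoryTag", REPO),
    "PullRepository": ("cr:PullRepository", REPO),
    "PushRepository": ("cr:PushRepository", REPO),
    "DeleteRepository": ("cr:DeleteRepository", REPO),
    "ListRepository": ("cr:ListRepository",
                       "acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*"),
}


def glob_match(pattern, value, ignore_case=False):
    """Match a RAM-style pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(item):
    return item if isinstance(item, list) else [item]


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: an explicit Deny wins, then any matching Allow,
    otherwise the request is denied by default. Condition elements are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_api_call(policy, api_operation, **params):
    """Look up the action and resource template for an API operation in the table,
    fill in the ARN parameters ($regionid, $accountid, ...) and evaluate the policy."""
    action, template = AUTH_RULES[api_operation]
    resource = Template(template).safe_substitute(params)
    return is_allowed(policy, action, resource)


def allowed_operations(policy, **params):
    """All table operations the policy permits on the given target; handy when
    reviewing whether a custom policy is as narrow as intended."""
    return sorted(op for op in AUTH_RULES if check_api_call(policy, op, **params))


if __name__ == "__main__":
    # Placeholder target values (constructed for this example).
    target = dict(regionid="cn-hangzhou", accountid="123456789012",
                  instanceid="cri-EXAMPLE", namespacename="team-a", repositoryname="web")
    for name, policy in [("read-only", READ_ONLY_POLICY),
                         ("single-repo pull", SINGLE_REPO_PULL_POLICY)]:
        print(name, "->", allowed_operations(policy, **target))
```

Running the script shows the practical difference between the two policies: the read-only system policy permits every Get, List and Pull operation on every repository in the account, while the single-repository policy permits GetRepository, ListRepoTag and PullRepository on team-a/web only, and denies them on any other repository. It also surfaces a detail of the table that is easy to miss: ListRepository requires the namespace-level resource acs:cr:...:repository/$instanceid/$namespacename/*, so a policy whose Resource names one repository does not let the user list the namespace, and a policy that should allow listing needs the namespace wildcard ARN in its Resource element.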